mod_http_oauth2: Reduce authorization code validity time to 2 minutes
RFC 6749 states
> A maximum authorization code lifetime of 10 minutes is RECOMMENDED.
So 15 minutes was way too long. I was thinking 5 minutes at first but
since this should generally be instant, I settled on 2 minutes as a
large guesstimate on how slow it might be on slow links.
--- a/mod_http_oauth2/mod_http_oauth2.lua Sun Nov 22 18:39:55 2020 +0100
+++ b/mod_http_oauth2/mod_http_oauth2.lua Sun Nov 22 18:46:25 2020 +0100
@@ -15,7 +15,7 @@
local codes = module:open_store("oauth2_codes", "map");
local function code_expired(code)
- return os.difftime(os.time(), code.issued) > 900;
+ return os.difftime(os.time(), code.issued) > 120;
end
local function oauth_error(err_name, err_desc)